users can't access chromecast or printers from isolated wifi

SOLVED
RPSystems
Here to help


Hi

 

There's a setting in "Wireless > Firewall & Traffic Shaping" called "Layer 2 LAN Isolation". Previously, our wifi has not had this setting enabled, but another administrator on the network recently enabled it, and explained to me that this significantly improves network security. I would like to keep it enabled, but at the same time, no one can use printers or chromecasts in the network any more. I'd like to keep the best of both worlds with both increased security, while also allowing people to actually use these things. Is there a way to allow specific devices through the isolation somehow?

 

I've been talking to the other administrator a lot and tried everything he suggested but so far nothing has worked.

  • I've tried connecting both the chromecast and the printers via an ethernet cable, to the same VLAN, but that didn't work, even though the isolation is supposed to only affect wireless connections.
  • I've also tried placing the printer on a separate network, but that didn't help either (maybe I didn't do it correctly).
  • I've also tried changing the device policy to "whitelisted", didn't change anything.
  • And a few other things which I may have forgotten.

If you try to ping the IP address of the printer, you get a response from the default gateway saying that you don't have access to it. So my computer can find it, it's just being blocked.

 

I haven't tried accessing printers or chromecasts from a computer which is also connected via an ethernet cable, but that's not a solution.

 

If we're unable to solve this issue, I will likely be forced to disable this feature even if it puts the network at a greater risk than having it on.

 

I am not as experienced in network administration as the other administrator, but he has much less time to work on this than I do, so it's up to me. Please help me by explaining what to do step by step.

Thanks.

1 ACCEPTED SOLUTION

We already had an existing network created by the more knowledgeable IT admin designed to accommodate printers. Placing the printer in this network via an ethernet cable does allow computers connected via wifi to the main network to connect to the printer, so this solved that issue. However, chromecasts are still unreachable due to the way google implemented their automatic discovery. The only fix I could come up with here was to use a different SSID with isolation disabled, so that's what I ended up doing.


9 REPLIES
Adam
Kind of a big deal

I believe the Layer 2 isolation would work counter to your goal here.  It will isolate all of the devices so they cannot communicate to each other.  If you need devices to be able to talk to each other you may want to disable layer 2 for that SSID. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.


@Adam wrote:

I believe the Layer 2 isolation would work counter to your goal here.  It will isolate all of the devices so they cannot communicate to each other.  If you need devices to be able to talk to each other you may want to disable layer 2 for that SSID. 


So you're sure that there is no way to have certain specific devices (such as a printer) bypass the isolation, but still have it on for everything else?

Adam
Kind of a big deal

According to this https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

 

"With Client Isolation enabled, clients will only be able to communicate with the default gateway and will not be able to communicate with any other devices on the same VLAN (or broadcast domain). In order for the wireless client to communicate with another device, the upstream gateway must be used to enable this communication (Eg Inter VLAN routing and ACLs). Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."

 

So sounds like it may be possible if you are doing inter VLAN.  But I haven't tested this so I'll have to defer to other members of the group that use this functionality more often.  For our guest networks, I just use "NAT mode: Use Meraki DHCP" when I do not want the clients to be able to talk to each other.  When they do need to talk to each other I have a separate network/VLAN. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.


@Adam wrote:

According to this https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

 

"With Client Isolation enabled, clients will only be able to communicate with the default gateway and will not be able to communicate with any other devices on the same VLAN (or broadcast domain). In order for the wireless client to communicate with another device, the upstream gateway must be used to enable this communication (Eg Inter VLAN routing and ACLs). Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."

 

So sounds like it may be possible if you are doing inter VLAN.  But I haven't tested this so I'll have to defer to other members of the group that use this functionality more often.  For our guest networks, I just use "NAT mode: Use Meraki DHCP" when I do not want the clients to be able to talk to each other.  When they do need to talk to each other I have a separate network/VLAN. 


Alright, thanks. We'll wait a little to give other community members a chance to reply. If no one else has a solution, I'll have to either disable isolation, or have a secondary network where isolation isn't enabled.

JohnM
Here to help

Layer 2 isolation is only in bridge mode, not Meraki NAT mode, so there you go.

 

You could turn on Meraki NAT so everyone gets an isolated subnet to themselves, and then add an ACL to permit traffic to just the printer IP address on the LAN, and then a Deny statement for everything else on the local LAN. That will work.
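Added example, not part of this thread or of any Meraki code: a small first-match rule evaluator that models the ACL JohnM describes (permit the printer, deny the rest of the local LAN, allow everything else). All addresses are constructed RFC 1918 / TEST-NET samples, and top-down first-match evaluation is assumed; it shows why the printer permit must sit above the LAN deny.

```python
import ipaddress

# Constructed sample addressing: the office VLAN and the shared printer on it.
LAN = ipaddress.ip_network("10.0.10.0/24")
PRINTER = ipaddress.ip_address("10.0.10.50")

# Rules as (action, destination network), listed in the order they would
# appear in a dashboard rule table. Evaluation is assumed to be top-down,
# first match wins, with a trailing "allow any" as the default rule.
CORRECT_RULES = [
    ("allow", ipaddress.ip_network(f"{PRINTER}/32")),   # printer first
    ("deny", LAN),                                       # then the rest of the LAN
    ("allow", ipaddress.ip_network("0.0.0.0/0")),        # internet / other VLANs
]

# Same rules with the permit and deny swapped: the /24 deny shadows the
# printer permit, so the printer becomes unreachable.
MISORDERED_RULES = [CORRECT_RULES[1], CORRECT_RULES[0], CORRECT_RULES[2]]


def evaluate(rules, dst):
    """Return the action of the first rule whose destination contains dst."""
    dst_ip = ipaddress.ip_address(dst)
    for action, net in rules:
        if dst_ip in net:
            return action
    return "allow"  # implicit default if no rule matched


def shadowed_rules(rules):
    """Report rules that can never match because an earlier rule covers them.

    Useful as a sanity check before saving a rule table: a permit hidden
    below a broader deny is the classic way a 'printer exception' fails.
    """
    shadowed = []
    for i, (_, net) in enumerate(rules):
        for _, earlier in rules[:i]:
            if net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_RULES), ("misordered", MISORDERED_RULES)):
        print(name, "printer:", evaluate(rules, str(PRINTER)),
              "laptop:", evaluate(rules, "10.0.10.77"),
              "internet:", evaluate(rules, "203.0.113.9"),
              "shadowed:", shadowed_rules(rules))
```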

 


@JohnM wrote:

Layer 2 isolation is only in bridge mode, not Meraki NAT mode, so there you go.

 

You could turn on Meraki NAT so everyone gets an isolated subnet to themselves, and then add an ACL to permit traffic to just the printer IP address on the LAN, and then a Deny statement for everything else on the local LAN. That will work.

 


Not sure if I can do this, because the control panel tells me that bridge mode is what you want to use for shared printers (and some other things) and we do also have shared printers. I'm afraid if I change this setting, I'll break things even more.

It's sounding more like the best solution is to have a secondary wifi SSID running alongside the main one, and tell people who want to use chromecasts or their own printers to connect to this other (slightly less secure?) wifi instead.


Do we have to connect both devices to the same wifi network or not?

EricNathan
Here to help

I've had some success using the Bonjour gateway. It does work somewhat. Certain apps have issues casting based on the way they implement the device search (i.e. Vudu), but I've found that Netflix and Google apps seem to work well. I implemented it by turning on Bonjour and adding all types. Bonjour is designed to pass that kind of traffic.
